Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection. This issue affects Widget Wrangler: from n/a through <= 2.3.9.
Published: 2026-03-25
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper control of code generation flaw in the Widget Wrangler plugin that allows an attacker to inject and execute arbitrary code. This code injection (CWE-94) effectively grants remote execution capabilities, letting an attacker run any command on the WordPress server and potentially take full control of the site. The impact is catastrophic, compromising confidentiality, integrity, and availability of the entire website and any data it hosts.

Affected Systems

The affected product is the Widget Wrangler plugin, developed by Jonathan Daggerhart. All versions from the earliest release up to and including 2.3.9 are vulnerable. There is no minimum version noted; therefore any installation of 2.3.9 or older is at risk.

Risk and Exploitability

The CVSS base score of 9.1 indicates a high-severity vulnerability. EPSS data is not available, so the probability of exploitation cannot be precisely quantified. The vulnerability is not listed in CISA's KEV catalog, but the nature of the flaw (remote code execution via a plugin that can be accessed by anyone with access to the website's admin interface) suggests that exploitation is feasible even without privileged credentials. Attackers would likely craft a malicious request to the plugin's code generation endpoint to inject code.

Generated by OpenCVE AI on March 25, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Widget Wrangler to a version newer than 2.3.9.
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the WordPress installation.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jonathan Daggerhart; Jonathan Daggerhart widget Wrangler; Wordpress; Wordpress wordpress
Vendors & Products                    Jonathan Daggerhart; Jonathan Daggerhart widget Wrangler; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type         Values Removed   Values Added
Description                   Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection. This issue affects Widget Wrangler: from n/a through <= 2.3.9.
Title                         WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Weaknesses                    CWE-94
References

Subscriptions

Jonathan Daggerhart Widget Wrangler
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:32.913Z

Reserved: 2026-02-02T12:53:47.193Z

Link: CVE-2026-25447

Vulnrichment

Updated: 2026-03-25T19:57:00.464Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:50.993

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:38:22Z

Weaknesses